Websense® Security Labs™ researchers are continuing the analysis of a sophisticated malware attack which has been observed to conduct espionage against Russian, Saudi Arabian, and Irish targets, amongst others.

Regin, as the malware family (or toolkit) has been named, is both modular and multi-stage, making the malware extremely customizable. Regin also uses advanced techniques to hide its activity, including custom encryption and the use of custom UDP and TCP protocols.

At the time of writing we can confirm our knowledge of publicly available Indicators of Compromise used in both version 1 of Regin (pre-2011) and version 2 of Regin (2013 onwards), and we have committed those to ACE, our Advanced Classification Engine.

Threat Modelling

When such sophisticated attacks are broken down into their constituent parts, we look to our threat modelling system of the 7 Stages of Advanced Threats. This helps us to build a clearer picture of risk based on information known at any given time.

7 stages of Advanced Threats:

For Regin we can arrive at the following mapping:

Stage 1 (Reconnaissance): The authors of Regin are believed to be knowledgeable about the industry sectors targeted and have tailored the malware to suit. Further, due to the modular nature of the attack, components can be added to suit the approach required by the malware authors based on their reconnaissance discoveries. It would seem that the number of target organizations is currently low.

Stage 2 (Lure): Uncertainty remains around the lures used by the Regin toolkit, but it is thought to involve compromised websites and a means to get those in front of the target. Most likely the lure would arrive via email, instant message communications, or drive-by attacks hosted on compromised websites.

Stage 3 (Redirect): Due to the varying options around the lure stage it is uncertain whether the redirect stage is used by Regin. Not all malware families follow all of the prescribed 7 Stages.

Stage 4 (Exploit Kit): Exploit code is often used to deliver payloads onto vulnerable machines. It is not always necessary for a vulnerability to be abused by malware, but it could be a possibility with the Regin toolkit considering its advanced nature.

Stage 5 (Dropper): Once the dropper has been deployed, Regin uses a multi-stage download-and-decrypt process to deliver its system files onto the infected machine. Note that it has been reported that non-traditional file storage areas such as the registry are used by Regin during its configuration phase. The security community is still hunting for the elusive dropper file, although we do have knowledge of, and have committed to our protection engine, multiple device drivers used in the payload's download process.

Stage 6 (Call Home): Regin's control communication is not limited to the HTTP protocol; the use of UDP and TCP has also been observed. Further, custom encryption based on existing algorithms seeks to hide the transmission of stolen data from solutions that are not looking out for the use of such custom encryption.

Stage 7 (Data Theft): Reports show that data stolen by the toolkit is not always committed to disk; instead it is held only in memory, which makes analysis difficult.

Conclusion

Regin uses many complex methods to evade detection and make analysis difficult. The observed trend indicates the complexity of such malware will continue to increase as malware authors fine-tune their skills and adopt such modular and multi-stage malware.

As we continue our analysis and discover further Indicators of Compromise, we shall continue to enhance our protection using ACE, our Advanced Classification Engine. We have configured our ThreatSeeker® Intelligence Cloud to seek out further Indicators of Compromise and we are using technologies such as Yara to help achieve that and supplement our own analytics.

Websense Security Labs™ researchers have discovered a widespread cybercrime campaign utilizing the Mevade malware that appears to be originating from Russia and Ukraine and primarily targeting the business services, government, manufacturing, and transportation sectors in the US, UK, Canada, and India.

In this post we analyze the malware, command and control characteristics, and attack infrastructure used in this campaign.

Executive Summary

Websense research performed on third-party feeds indicates that this campaign has infected hundreds of organizations and thousands of computers world-wide and appears to be used for a variety of purposes, including redirecting network traffic and click fraud, as well as search result hijacking. However, the extensible Mevade malware provides a very capable mechanism for data theft through reverse proxying capabilities. Websense customers are protected against attacks such as this at multiple stages of the attack cycle, including attack infrastructure and C2 protocol.

Websense Labs researchers have observed a massive cyber campaign that appears to have originated from Russia and Ukraine beginning around July 23, 2013, and that continues today.

The malware analysis of Mevade below shows use of a reverse proxy capability (similar to Shylock), indicating a very flexible dropper that is well suited to rerouting network traffic, targeted theft of information, and facilitating lateral movement through target networks by creating a network-level backdoor.

We have observed the command and control infrastructure, detailed below, hosting malware and exploits such as CVE-2012-4681, dating back to August 2012.

We have observed that this campaign's malware (7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC) is associated with the large spike in Tor (Onion Router) usage in August 2013, which was presumably providing anonymity for the cyber criminals' C&C servers.

The heavy use of attack infrastructure (C2 servers) located in Ukraine and Russia, together with the Mevade malware, links this group to a potentially well-financed cyber-crime gang operating out of Kharkov, Ukraine and Russia.

Special thanks to Websense Labs Researchers Jack Rasgaitis and Gianluca Giuliani for their contributions to this report.

Targeted Industries

Targeted Locations vs. Command and Control Infrastructure

Malware Callbacks

The malware calls back with GET requests of the following example format:

http://updsvc.net/updater/3ad219fe94fbcaba3687c5298358998d/2

A signature can be built on the path pattern /updater/[32 random characters]/[1 or 2].

Examples:

/updater/28d949f1d82631dac4539d5d1ac21d6c/2

/updater/5eafaed947ea36a0ccec58e788a77b35/2

/updater/389b71b07d4d376a70952a1b1c571d68/2

/updater/01e8d75a7a368f854bcef52136985092/2

/updater/660c989f210fd7027085731478ab5922/2

/updater/fbd1375f6a9049ad9dbd0e0a38be4a8a/2

/updater/5122379f40e7431638125d6ee939827c/2

/updater/cd9d21a004c3a578ac0da997193315be/2

/updater/43028ea498e6ec76f5b69d47f0ede71e/2

/updater/5f3f651c20e5bfd5ddab74536ddb3b7b/2

/updater/bae58af607a8c88c08b9843aaec0327f/2

Domains being used for command and control:

service-stat.com

updservice.net

autowinupd.net

autoavupd.net

service-update.net

full-statistic.com

service-statistic.com

stetsen.no-ip.org

autodbupd.net

automsupd.net

titanium.onedumb.com

statuswork.ddns.info

fullstatistic.com

autosrvupd.net

storestatistic.com

updsvc.net

reservestatistic.net

srvupd.com

stotsin.ignorelist.com

reserve-statistic.com

workstat.hopto.org

assetsstatistic.com

fullstats-srv.net

stats-srv.com

fullstats-srv.com

statssrv.com

reserv-stats.net

reserv-stats.com

pushstatistics.com

stats-upd.net

reservstats.com

push-statistics.net

push-stats.net

push-stats.com
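The callback signature and the domain list above can be turned into a simple log detector. The following Python is an added example, not code from the Websense post: it scans constructed proxy log lines (the client IPs and timestamps are invented; the domains and paths are taken from the post) for the /updater/[32 characters]/[1 or 2] path pattern and for requests to the listed C2 domains. One assumption: every observed path uses lowercase hex, so the regex narrows "32 random characters" to [0-9a-f]{32}; widen it if other samples differ.

```python
import re
from urllib.parse import urlparse

# Callback path pattern from the post: /updater/[32 random characters]/[1 or 2].
# Assumption: every observed sample is lowercase hex, so this narrows the 32
# characters to [0-9a-f]; widen the class if other character sets are seen.
CALLBACK_PATH = re.compile(r"^/updater/[0-9a-f]{32}/[12]$")

# Subset of the command-and-control domains listed in the post.
KNOWN_C2_DOMAINS = {
    "updsvc.net", "autowinupd.net", "service-stat.com",
    "fullstatistic.com", "push-stats.com",
}

# Constructed sample proxy log (timestamp, client IP, method, URL, status).
# The domains and paths come from the post; the clients and timestamps do not.
SAMPLE_LOG = """\
1377000001.123 10.1.2.3 GET http://updsvc.net/updater/3ad219fe94fbcaba3687c5298358998d/2 200
1377000002.456 10.1.2.4 GET http://www.example.com/updater/readme.html 200
1377000003.789 10.1.2.5 GET http://autowinupd.net/updater/28d949f1d82631dac4539d5d1ac21d6c/1 404
1377000004.012 10.1.2.6 GET http://cdn.example.net/updater/5eafaed947ea36a0ccec58e788a77b35/2 200
1377000005.345 10.1.2.3 POST http://updsvc.net/login 200
"""


def classify_request(url):
    """Return (path_matches_callback, domain_is_known_c2) for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return (CALLBACK_PATH.match(parsed.path) is not None, host in KNOWN_C2_DOMAINS)


def scan_log(text):
    """Scan space-separated proxy log lines and return the suspicious ones.

    A line is 'high' when both the path pattern and a known C2 domain match,
    'medium' when only one of them does; everything else is ignored.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than guess
        _timestamp, client, _method, url, _status = fields[:5]
        path_match, domain_known = classify_request(url)
        if not (path_match or domain_known):
            continue
        hits.append({
            "client": client,
            "url": url,
            "path_match": path_match,
            "domain_known": domain_known,
            "severity": "high" if (path_match and domain_known) else "medium",
        })
    return hits


def clients_with_callbacks(hits):
    """Clients that produced at least one high-severity callback."""
    return sorted({h["client"] for h in hits if h["severity"] == "high"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for hit in results:
        print(hit["severity"], hit["client"], hit["url"])
    print("clients with confirmed callbacks:", clients_with_callbacks(results))
```

The two signals are kept separate on purpose: a path match against an unknown domain catches new C2 hosts registered later (the post shows how many domains one registrant used), while a known domain with any other path catches the same host being used for a different purpose, such as exploit hosting.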

Interestingly, most of the domains above are registered with the same contact email address, gmvjcxkxhs@whoisservices.cn, and the contact info "Whois Privacy Protection Service|Whois Agent", which indicates that a single privacy service was used to register these domains. A quick search of our domain registration database indicates that over 7,000 domains have been registered using this service.

The majority of Command and Control related IP addresses can be attributed back to the following ASN:

As you can see below, the malware uses WQL, the SQL-like query language of Windows Management Instrumentation (WMI). Below is a snippet of code that queries the target system through WMI to learn its security settings.

Here is the direct WQL query to WMI to learn more about the installed AntiVirus.

The malware authors were kind enough to leave us a list of AV engines that they were attempting to detect.

Interestingly, the malware attempts to detect the existence of the "Sandboxie" tool commonly used by researchers to analyze malware. Below is a check executed by the malware for the presence of Sandboxie DLLs.

Below, we see a direct check executed by the malware to search for Oracle/Sun VirtualBox services.

AV and Security checks complete, install the malware service...

The malware contains a “Resources” section that is used by the code as shown below.

This confirms our suspicion that the software we have analyzed so far is a loader program to install the malware service.

The obfuscated code below is used to confirm that the security checks above executed correctly.

Once the security checks have been validated and the resources section properly decoded, the loader attempts to install the malware as a service. Below is the sequence of functions offered by the installer.

Interestingly, the buffer below contains references to the "3proxy" open source proxy software that we have previously seen associated with the Shylock/Caphaw malware.

3proxy is a tiny proxy that can be installed on Windows-based systems (hxxxp://www.3proxy.ru/). More information about 3proxy follows below.

Why Embed 3proxy in Malware?

A lightweight proxy such as 3proxy gives advanced malware the ability to tunnel attacker traffic directly through the infected host and onto the target network. In these cases, the proxy is configured as a reverse proxy that can tunnel out of NAT (Network Address Translation) environments, create a connection to the attacker's infrastructure, and open a backdoor directly into the target network (in this case, using SSH over port 443). The use of reverse proxies indicates that the cyber-criminals plan to manually scan a network and move laterally towards applications and information (such as databases, critical systems, source code, and document repositories) more valuable than what exists on the originally compromised machine.
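The SSH-over-port-443 tunnel described above gives defenders a concrete network signal: a connection to TCP/443 whose first client bytes are not a TLS ClientHello. The following Python is an added example, not code from the Websense post or from 3proxy: it classifies constructed flow records (the addresses come from the 203.0.113.0/24 documentation range and are not observations from this campaign) by the first bytes the client sends, and flags port-443 flows that carry an SSH identification string or plain HTTP instead of TLS.

```python
# Constructed flow records: (client, server, server_port, first client bytes).
# Addresses are from the 203.0.113.0/24 documentation range; none of these are
# real observations from the campaign.
SAMPLE_FLOWS = [
    # Ordinary HTTPS: TLS record type 0x16, version 0x03xx, ClientHello (0x01).
    ("10.1.2.3", "203.0.113.10", 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    # SSH identification string on the HTTPS port: the tunnel pattern in the post.
    ("10.1.2.3", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_6.2\r\n"),
    # Cleartext HTTP on port 443: not TLS either, worth a look.
    ("10.1.2.4", "203.0.113.30", 443, b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    # SSH on its normal port: not covered by this rule.
    ("10.1.2.5", "203.0.113.40", 22, b"SSH-2.0-PuTTY_Release_0.62\r\n"),
]


def looks_like_tls_client_hello(data):
    """TLS record header: content type 0x16 (handshake), major version 0x03,
    followed by a handshake message of type 0x01 (ClientHello) at offset 5."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def looks_like_ssh(data):
    """RFC 4253 identification string: 'SSH-' followed by the protocol version."""
    return data.startswith(b"SSH-")


def classify_flow(flow):
    """Label one flow 'tls', 'ssh', 'plaintext' or 'unknown' from its first bytes."""
    _client, _server, _port, data = flow
    if looks_like_tls_client_hello(data):
        return "tls"
    if looks_like_ssh(data):
        return "ssh"
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "plaintext"
    return "unknown"


def find_suspicious(flows):
    """Return (client, server, label) for port-443 flows whose payload is not TLS,
    i.e. SSH tunnels or other traffic hiding on the HTTPS port."""
    findings = []
    for flow in flows:
        client, server, port, _data = flow
        label = classify_flow(flow)
        if port == 443 and label != "tls":
            findings.append((client, server, label))
    return findings


if __name__ == "__main__":
    for client, server, label in find_suspicious(SAMPLE_FLOWS):
        print(f"{client} -> {server}:443 carries {label}, not TLS")
```

The check only needs the first few bytes of each connection, so it can run on a packet capture or on a proxy that logs the initial payload; it does not need to decrypt anything. Because the tunnel is initiated from inside the network, a payload check on outbound 443 catches it where a port-based firewall rule cannot.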